> Back to All Posts

Inside the NetNut Botnet Takedown: 2M Devices Freed

NetNut botnet

A quiet piece of internet infrastructure just got a lot less useful for cybercriminals. The NetNut botnet takedown, carried out by Google’s Threat Intelligence Group, the FBI, Lumen Technologies, and The Shadowserver Foundation, has dismantled a residential proxy network built from roughly 2 million hijacked devices. The network, also known as “Popa,” gave hackers a way to disguise malicious traffic as ordinary home internet activity for years.

How NetNut Built Its Network

Residential proxy services route internet traffic through real household IP addresses instead of data center servers. Legitimate versions of this technology exist for market research and ad verification. NetNut’s version relied on devices that never agreed to participate.

Botnets fed the network its raw material. Criminals recruited devices through trojanized apps and an existing botnet called Badbox 2.0, which packaged in hidden proxy plugins. Once installed, those plugins turned ordinary hardware into an exit node for someone else’s traffic. Smart TVs and streaming boxes made up a large share of the compromised pool, alongside phones and computers. Most owners had no idea their devices were involved.

Two Million Devices, One Hidden Network

The scale here is what makes this case stand out. Investigators tracked at least 2 million infected devices tied to NetNut at any given time. In just one week of monitoring, Google’s threat researchers spotted 316 distinct threat clusters using NetNut’s exit nodes for their operations.

Some of those clusters ran ordinary cybercrime campaigns. Others carried out espionage-linked activity. Attackers used the network for credential stuffing, password spraying, and reaching into victim systems while hiding the true source of the traffic. Because the requests appeared to come from real residential addresses, security tools that flag data center IPs simply missed them.

The Takedown Effort Behind the Scenes

Breaking up a network this size required coordination across several organizations, each handling a different piece of the problem. The FBI seized the netnut.com domain along with several related domains, cutting off public access points tied to the operation.

Google took a more technical route. The company disabled command-and-control infrastructure that NetNut’s operators had been running on Google’s own systems. Play Protect, Android’s built-in malware scanner, also flagged and disabled infected apps directly on affected devices. Google then shared details on NetNut’s software development kits and backend infrastructure with law enforcement and other researchers, so the industry could recognize similar schemes going forward.

This isn’t an isolated case either. Google previously helped disrupt IPIDEA, another residential proxy network built the same way. Together, these actions suggest a longer campaign against proxy networks that rely on hijacked consumer devices, rather than a single one-off response.

Why This Matters for Everyday Users

Most people never think about residential proxy networks because they operate invisibly. That’s exactly the problem. A smart TV or streaming box sitting quietly in someone’s living room can become a tool for credential theft or espionage without any visible sign of compromise.

This is also where the contrast with legitimate privacy tools becomes clear. A reputable VPN routes your own traffic through servers you knowingly connect to, and you control when that connection starts and stops. Networks like NetNut do the opposite. They borrow someone else’s device and bandwidth without consent, then use that stolen trust to make attacks harder to trace. Anyone concerned about their home network joining one of these operations should keep device firmware updated and avoid installing apps from unverified sources, since that’s how many of these infections start.

The Proxy Industry’s Resilience Problem

Here’s the part that tempers the good news. Residential proxy providers often buy replacement capacity from each other after a takedown. The broader industry runs on reselling access to compromised device pools, so removing one network’s infrastructure doesn’t always solve the underlying issue.

Unless the botnets feeding these devices get cleaned up at the source, the same hardware can end up feeding a different proxy operation within weeks. That reality doesn’t diminish what these organizations accomplished here, but it does explain why disruptions like this one tend to be ongoing efforts rather than single victories.

Final Thoughts

The NetNut botnet takedown offers a rare look at how deeply residential proxy networks have embedded themselves into everyday devices. Two million compromised devices is a staggering number, and the fact that many were smart TVs and streaming boxes shows how far these operations have spread beyond typical malware targets.

Law enforcement and researchers scored a real win by seizing domains and disabling infrastructure at this scale. But the underlying business model, buying and reselling access to hijacked devices, means more takedowns are likely on the horizon. For now, the disruption offers a meaningful setback for the threat actors who relied on NetNut to hide in plain sight.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.